
====================================================================

                             CERT-Renater

                 Information Note No. 2018/VULN116
_____________________________________________________________________

DATE                : 28/03/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Struts versions 2.1.1 up to
                     and including 2.5.14.1.

=====================================================================
https://cwiki.apache.org/confluence/display/WW/S2-056
_____________________________________________________________________

S2-056

Created by Lukasz Lenart, last modified yesterday at 10:20 AM


Summary
A crafted XML request can be used to perform a DoS attack when using
the Struts REST plugin


Who should read this

All Struts 2 developers and users who are using the REST plugin


Impact of vulnerability

A DoS attack is possible when using XStream handler with the Struts
REST plugin


Maximum security rating

Medium


Recommendation

Upgrade to Struts 2.5.16


Affected Software

Struts 2.1.1 - Struts 2.5.14.1


Reporter

Yevgeniy Grushka & Alvaro Munoz from HPE


CVE Identifier

CVE-2018-1327


Problem

The REST Plugin uses the XStream library, which is vulnerable and allows
a DoS attack to be performed by sending a malicious request with a
specially crafted XML payload.


Solution

Upgrade to Apache Struts 2.5.16 and switch to the optional Jackson XML
handler as described here. Another option is to implement a custom XML
handler based on the Jackson XML handler from Apache Struts 2.5.16.


Backward compatibility

No backward incompatibility issues are expected.


Workaround

Use Jackson XML handler instead of the default XStream handler as
described here.
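As an added illustration of that workaround (it is not part of the CERT-Renater bulletin or of the Apache advisory), the struts.xml fragment below registers a Jackson-backed content type handler and tells the REST plugin to use it in place of the default XStream handler. It assumes the handler class shipped with Struts 2.5.16 (org.apache.struts2.rest.handler.JacksonXmlHandler), the REST plugin's struts.rest.handlerOverride.* constant mechanism, and the jackson-dataformat-xml artifact being on the classpath; the handler name "jackson-xml" is a constructed value. Check the class and constant names against the Struts REST plugin documentation linked from the advisory before deploying.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<!-- Added example, not from the advisory. Assumes Struts 2.5.16 with the
     REST plugin and jackson-dataformat-xml on the classpath. -->
<struts>
  <!-- Register a ContentTypeHandler implemented with Jackson rather than
       XStream. The bean name "jackson-xml" is a constructed identifier. -->
  <bean type="org.apache.struts2.rest.handler.ContentTypeHandler"
        name="jackson-xml"
        class="org.apache.struts2.rest.handler.JacksonXmlHandler"/>

  <!-- Point the "xml" extension / content type at that bean so the
       XStream-based handler is no longer selected for XML requests. -->
  <constant name="struts.rest.handlerOverride.xml" value="jackson-xml"/>
</struts>
```

After restarting the application, confirm the override took effect (for example by checking which handler class the REST plugin logs at startup, or by verifying that an XML response is produced by the Jackson handler) and review the code base for any other place that still deserializes untrusted XML through XStream, since the override only covers the REST plugin's content negotiation.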

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
